Stupid Question... Where should I go to file a bug on centos stream? I know for fedora or
rhel, but not this one....
Thanks
On Wed, 2021-12-15 at 09:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
On Wed, 2021-12-15 at 10:49 +0200, Alexander Bokovoy via
FreeIPA-users wrote:
> Hi Antoine,
>
> On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
> > Hi,
> >
> > This message was probably missed in all the log4shell exchanges.
> > Any hint on how to rebuild the RA certificate with a newer algorythm before
migrating to Centos Stream 9?
>
> The error you have is this:
>
> ----------------------------------------------------------
> Error outputting keys
> andcertificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
> default library context, Algorithm (RC2-40-CBC : 0), Properties()
> ----------------------------------------------------------
>
> This is produced by an OpenSSL 3.0.0 which does not have support for
> legacy ciphers by default. This legacy cipher (RC2-40-CBC) was used by
> PKI releases prior to
>
https://bugzilla.redhat.com/show_bug.cgi?id=1975406 was fixed.
>
> Since in the CA replica installation case we get RA agent key transferred
> securely from CA master, this key would be the one encrypted on CentOS
> Stream 8 and would still use RC2-40-CBC, thus making it impossible to
> consume on OpenSSL 3.0.0-enabled system.
>
> I think we need a bug against IPA to re-encrypt this key on 'earlier'
> system before 'newer' one could be deployed. Adding Christian for
> visibility.
>
> Could you please open one?
Thank you for the quick response. I'll file a bug for that.
Have a good day
>
>
> >
> > Many thanks
> >
> > On Sat, 2021-12-11 at 16:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
> > >
> > > Hello,
> > >
> > > I have currently a 2 node cluster running on CentOS Stream 8. In order to
upgrade to CentOS 9, I have removed one of the replica
> > > from
> > > the
> > > configuration, installed a fresh centos stream 9 and run
ipa-replica-install.
> > > It fails with this error (full log attached):
> > > [22/29]: Importing RA key
> > > Error storing key "keys/ra/ipaCert": CalledProcessError(Command
['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import',
'-']
> > > returned non-zero exit status 1: 'Traceback (most recent call
last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line
> > > 8, in
> > > <module>\n main(ra_agent_parser())\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
114, in
> > > main\n
> > > common.main(parser, export_key, import_key)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line
> > > 73,
> > > in
> > > main\n func(args, tmpdir, **kwargs)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
69, in
> > > import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n
> > > raise
> > > CalledProcessError(\nipapython.ipautil.CalledProcessError:
CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\',
\'-in\',
> > > \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\',
\'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\',
\'-password\',
> > > \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
\'Error outputting keys and
> > > certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> > >
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default
library context, Algorithm (RC2-40-CBC : 0),
> > > Properties ()\\n\')\n')
> > > [error] FileNotFoundError: [Errno 2] No such file or directory:
'/var/lib/ipa/ra-agent.key'
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > What can I do to make this upgrade work?
> > > Looks like an unsupported algorithm for the RA key. I tried "sudo
update-crypto-policies --set LEGACY" without success.
> > >
> > >
> > > Thank you
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
> >
> > --
> > Antoine GatineauFreelance IT Consultant
> > Phone: +32 499 50 80 04
> >
Web: https://infra-monkey.com
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Antoine GatineauFreelance IT Consultant
Phone: +32 499 50 80 04
Web: https://infra-monkey.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure